HUER Trojan Downloader Quashed

The Network: The end customer of a well-known Managed Services Provider (MSP) who uses Netsurion’s Co-managed SIEM service to deliver value to their clients.
The Expectation: Netsurion’s Co-managed SIEM services, advanced endpoint protection, and behavior analytics would deliver added protection for MSP customers.
The Catch: After hours (7 p.m. local), an employee was web surfing using Google Chrome and visited a compromised website. The user was lured into downloading installer.exe which in turn launched bowsetup.exe. Many other DLLs were launched, and communication was attempted with a known botnet Command and Control (C&C) server hosted in AWS. All of the launched processes and outbound connection attempts were reported by the EventTracker sensor and acted upon by the Netsurion’s security analyst.
The Find: HEUR:Trojan-Downloader.Script.Generic is a noxious Trojan that opens security “back doors”. It downloads additional malware infections and gives remote attackers full control over the targeted computer system. Once installed on the target, this infection attaches itself to system files and automatically executes corrupt files at system start up. The trojan also collects personal information, and changes or deletes system files.
The Fix: The specific endpoint involved in this incident was identified, along with details of all processes that were launched, and the external IP addresses contacted. Our SOC recommended the following:

  • Isolate the system from the network.
  • Remove the following folders: %APPDATA%[RANDOM CHARACTERSACTERS].js
    HEUR.Trojan.Win32.Generic .sys
    %Desktop%HEUR.Trojan.Win32.Generic .lnk
    HEUR.Trojan.Win32.Generic .lnk
    %DesktopDir%HEUR.Trojan.Win32.Generic .lnk
    %UserProfile%Start MenuPrograms
    Uninstall HEUR.Trojan. Win32.Generic
    %appdata %RoamingMicrosoftWindowsTemplates
    HEUR.Trojan.Win32.Generic .lnk
    %AllUsersProfile%Start MenuPrograms
    HEUR.Trojan.Win32.Generic .lnk
    %LocalAppdata %HEUR.Trojan.Win32.Generic virus
    uninstallHEUR.Trojan.Win32.Generic virus.lnk
    %program files%NPSWF32.dll
  • Make sure that all unwanted registry entries created by the process are removed.
  • Block all the IP addresses communicated by the process in the firewall.
  • Boot the system into safe mode and perform an in-depth anti-virus scan.

The Lesson: Anit-Virus tools, software patching, and network scanners are necessary but not sufficient. An additional level of detection and response are needed to find vulnerabilities that go unnoticed in these traditional controls.